Friday, 28 November 2014

Our chums at the MoJ are seeking our views on the ICO's performance. Evidently, as part of the UK Government's requirement to reform public bodies, all non-departmental public bodies must be reviewed at least once every three years.

This review will examine whether there is a continuing need for the ICO
to carry out its functions, and whether the organisation should continue to
operate in its current form, considering whether services could be provided
more effectively and efficiently.

We, the
people, have been asked to respond to the questions that are set out below:

1. With regard to the ICO’s functions to enforce and
oversee the DPA and a range of different regulations,

a. Do you consider, in relation to any or all of
the above, that the provision of their services to individual users and to
organisations remains necessary? Please explain your reasons for your
answer.

b. Do you consider that services provided by the ICO
in these areas could be improved? Please explain your reasons for your answer.

c. Do you consider that services provided by the ICO
could be delivered differently? Please explain your reasons for your answer,
including any examples from other regulators or comparable international
bodies.

2. Is the independence of the ICO best supported by
reporting to Parliament or to a government department such as the Ministry of
Justice? Please explain your reasons for your views.

3. With continually changing technology, an increased
use of social media and the internet, do you believe the ICO will continue to
be fit for purpose?

4. Do you have any additional comments you would like
to submit as evidence to the review?

The deadline
for responding is 16th January. Bearing in mind that the data
protection Xmas party season starts next week (with the Data Protection Forum’s
famous December meeting, which always ends with a marvelous festive lunch), we
actually haven’t got that long to think about our responses.

What are we
likely to say?

In response
to Q1, I expect respondents will be split between those who don’t think the ICO
is sufficiently effective, given its budgetary constraints, and those who are
pretty content with the current state of affairs, as the only time they usually
come into contact with the Information Commissioner and his team is when they
attend the ICO’s annual Data Protection Officer Conference in Manchester each
April, or when they attend other events where an ICO official is speaking. Or
perhaps when they pay their annual registration fee.

Many people
may well have heard of the ICO’s enforcement (and audit) teams, but far fewer
will have been visited by the ICO’s staff during the year, so they may not
fully appreciate just what all the 350-odd ICO employees really do all day.

This might,
however, prove to be a useful opportunity to compare the size of different
regulatory bodies, and to ask whether the ICO is appropriately resourced. Is it
sufficient for the ICO to be expected to spend some £16 million on data protection work when the Financial
Ombudsman Service is likely to require an operating budget of over £250 million for 2014 / 15?

That
statistic tells me a lot about the problem at hand. If the Government really
wanted to properly enforce the laws it has passed, it needs to ensure that the
right resources are available. Perhaps “data protection compliance” is similar
to the “right to be forgotten” or “a fundamental right” – a soundbite that trips easily off the
tongue, but is really hard to pin down in practice.

In response
to Q2, I expect that the balance of views will be for the ICO to report to, and
be funded by, Parliament, rather than a Government Department. If the
Parliamentary and Health Services Ombudsman (with an operating budget of some
£33 million) can report directly to Parliament, then so should the ICO.

In response
to Q3, I’m not sure how many people can answer this. Does the question invite
us to ponder how effective the ICO will be in a world where many huge data
controllers will operate from countries outside the ICO’s ambit? If so, perhaps
this is where we need to put a word in for the Global Enforcement Network, and
hope that the ICO has enough funds in the kitty for its staff to travel to all
corners of the earth and liaise with local regulators.

In response
to Q4, I wonder how many respondents will point out that should the UK vote to
weaken our links with countries that remain within the EU, then it will be even
more important for a suitably equipped ICO to be able to deal with data
protection standards and opinions emerging from European data protection regulators,
and make sure that the standards can be interpreted in ways that meet the needs
of pragmatic Brits.

As well as
advising on rules that are sufficiently robust to persuade the EU that the UK
affords its citizens an adequate level of protection.

Thursday, 27 November 2014

Usually, when an extremely large
organisation recalibrates their customers’ privacy expectations, we can expect
howls of indignation to emerge from the fundamentalist wing of the data
protection community.

So, on learning that Twitter was evidently
going to snoop on every app in their customers’ phones, I sat back and waited
for the reaction.

Have I heard anything from the Article 29
Working Party yet? Nope.

Have I heard anything from the ICO yet? Nope.

Have I heard anything from BigBrotherWatch
yet? Nope.

Perhaps Twitter isn’t the type of extremely
large organisation that naturally attracts instant fury from the usual suspects. After all, only 284 million people use
Twitter every month.

Evidently, people are more concerned at
whatever Google or Facebook might be doing with their customers’ information,
rather than (relatively) tiny Twitter.

But things may change. When I recall the
torrents of abuse that usually accompany any G or FB privacy announcement, even
when they’re trying their hardest to make things more transparent to their
customers, I do wonder how Twitter will deal with the feedback that will
emerge.

Of course, it may be that Twitter fully
briefed the Article 29 Working Party and the European Commission about its
announcement, and stressed the ease with which customers will be able to object
to Twitter automatically opting everyone into its new data collection service.

We can expect the usual concerns. Why
should people have to opt out? Why is it the case that they have all been
automatically opted in?

These are the sorts of issues that I frequently
help my clients deal with.

From a “privacy by default” perspective, I
can understand why the DP Taliban would be upset.

But life isn’t always about opting in. At least Twitter is being transparent about
what they are doing, and they’ve developed a user education programme that
informs individuals of the choices that are now before them. They’re trying to
be innovative and are trying to remind customers of the “value exchange” that
exists when people subscribe to a “free” service.

If Twitter’s users don’t want their apps to
be logged, they can always object. And if they really really don’t like what’s
happening, they can always cancel their Twitter account.

Wednesday, 26 November 2014

I have a range of expectations when it
comes to having my communications monitored.

I don’t want spam, so I expect my communications
and internet service providers to do whatever they feel appropriate to prevent
it from reaching and clogging up my in-boxes. This means that my incoming
communications will be reviewed – perhaps not the actual content of a message,
but at least on the basis of the metadata that accompanies the content.

If, for
example, a provider notes that a huge volume of communications of an identical
length are uncharacteristically spewing out of a single address, I would expect
it to carry out some form of investigation in an attempt to determine
whether the communications are solicited or otherwise.

By the same token, I don’t want my outgoing
messages monitored. Whatever I have to
say is for me to determine. Surely, this is what freedom of expression is all
about.

When working for EE, I had to address the
issue of what steps the company should take to ensure that not only was the
confidentiality of its customers’ communications preserved, but also that if
what appeared to be inappropriate activity came to EE’s notice, it was reported
to the appropriate authorities.

Inappropriate activity was invariably
discovered by chance, rather than as a result of a deliberate effort to monitor
a customer’s lifestyle. It was very occasionally discovered when customers left their
own mobile devices in stores in order that the device could be repaired. Staff had very strict instructions never to look at any content the customer may have left on their personal devices. However,
it was necessary to ensure that, when borrowed devices were returned
to the store, the factory settings had been restored and that no inappropriate
content (in the form of personal texts or images) remained on the borrowed device.

There were a few horror stories of
customers alleging that they had borrowed a mobile phone from a store whilst
their own device was being repaired, and were shocked at the images that had
apparently been left by a previous user. Sometimes they would demand
compensation, otherwise they would tell the media. Occasionally, they forgot to
look at the date / timestamps – if they had, they would have realised that the
offending images were downloaded to the device after the device had left the
store, not before.

Very, very infrequently, loan devices were
returned with images that were considered so disturbing that I reported the incident to the police. The only
occasions I can recall involved images relating to child cruelty. Quite what
happened to the people who were responsible for such cruelty, I’ll never know. I
saw it as my job just to make sure that the appropriate police force was
formally notified. If that force decided to take any further
action against the individuals involved, that was a matter for them.

I certainly didn’t think that I had any
further duty to monitor those individuals. I had neither the skills nor the
legal powers to do such a thing.

That’s what I expect law enforcement
officers to do.

And that’s why I’m reassured, in a way, that an “unnamed”
internet service provider has recently been criticized for failing to closely monitor
the communications of one of their customers who turned into a terrorist.

I don’t expect my service providers to have
the means (or the will) to monitor all of my communications manually, and consider
contextually, whether any are sufficiently offensive for them to be reported to the
authorities.

Yes, they may well have some automatic
programmes in place that identify the most egregious communications / images that are sent by criminals, and I'm happy for the digital fingerprints of my images to be compared with those that the authorities are trying to prevent from being circulated. I understand that the illegal list really does contain just the most appalling images, not those that "the man on the Clapham omnibus" would merely consider distasteful.

However, I do expect my service providers,
wherever they are based in the world, to develop close working relationships
with the UK’s law enforcement community, in order that when investigators do
exercise their legal powers to monitor my communications, providers can respond
speedily.

Monday, 24 November 2014

Finally – after a two year wait,
another of the recommendations in the report I helped the Joint
Parliamentary Committee on the Draft Communications Data Bill agree upon will
make a little more headway.

First, a recap.

During the autumn of 2012, the
Committee reviewed the thorny issue of IP address resolution. It gave
what has just been announced by Home Secretary Theresa May the green light.

This is what the report said:

73. As outlined in paragraph 65, Home Office
officials eventually told us in public evidence that they would like clause 1
to enable them to access two specific types of data: subscriber data relating
to IP addresses and web logs.

74. Subscriber data relating to IP addresses
is the information that makes it possible to trace who is using an IP address
at a given point in time. An IP address is a numerical label assigned to a
device connected to the internet (e.g. a computer, smart phone or printer). The
IP address of a device is not constant; it may change frequently and be shared
between several devices. The originating IP address of a communication is
routinely gathered in many types of internet transaction, but if the CSP does
not hold information on which of its subscribers held which IP address at a
particular point in time it is very hard for law enforcement authorities to
prove an association between an action on the internet and a particular
individual. Not all United Kingdom providers currently obtain all the data
necessary to trace which subscriber is using which IP address. During the
course of our inquiry we heard of various circumstances in which the lack of
this data has impeded investigations. We accept that if CSPs could be required
to generate and retain information that would allow IP addresses to be matched
to subscribers this would be of significant value to law enforcement. We do not
think that IP address resolution raises particular privacy concerns.

75. We recommend that a narrower clause 1
should allow notices to be served on CSPs requiring them to generate and retain
subscriber data relating to IP addresses.

This was one of the 38 issues that the report recommended be addressed. Obviously, not all of the recommendations required changes in the law before they could be implemented, and work is already underway to implement most of those that don't require legislative change.

Quite why we have had to wait so
long for this eminently sensible recommendation to be implemented is something
that only the Home Secretary can explain. I’m certainly not aware that the main
political parties have ever challenged it. They didn’t at the time of the report’s
publication – and they haven’t done so since. Evidently, it is not easy to find the parliamentary time to change laws, these days.

Will the ability to trace what
device is using an IP address at a given point in time be of significant value
to law enforcement investigators? – Quite probably.

Will it enable law enforcement
investigators to better understand the types of communications that suspects
are engaged in? – Quite probably.

Will it enable law enforcement
investigators to break encryption tools applied by targets who use their
devices for nefarious purposes? – Probably not.

But will it be useful to law
enforcement investigators in other ways? Oh yes!

And are you going to tell me what
they are? Oh no.

Update:

I've just noted that the (usually) reliable Register has reported that a Liberal Democrat spokesperson has commented:

"This announcement is welcome news but comes after months of Conservative foot dragging. They always bang on about new security powers but have done nothing about IP addresses since we called for it in Spring 2013."

I don't think it's right for the Lib Dems to take all the credit for today's announcement. They didn't "call for it" first. The Joint Parliamentary Committee did.

About Me

I'm Martin Hoskins, and I started this blog to offer somewhat of an irreverent approach to data protection issues. As time has passed, the tone of my posts has become more serious.
I'm not a "high priest" of data protection. I focus on the principles of transparency, fairness, practicality, risk-assessment and pragmatism when dealing with issues, rather than applying every aspect of every data protection rule.
While I may occasionally appear to criticise various organisations with which I am or have been associated, I write here in an entirely personal capacity, so these comments should never be taken to represent anyone else's views on what I write about.
I occasionally tweet as @DataProtector.
You can contact me at:
info@martinhoskins.com.